[Original] A non-default configuration in TenFour TFS Gateway 4.0 allows an attacker to cause a denial of service via messages with incorrect sender and recipient addresses, which causes the gateway to continuously try to return the message every 10 seconds.

-
Vulnerability Information

-
Advisories and Patches

This can be solved by changing the way that TFS handles failed messages. Turning off "returning the original message" to the sender of a message avoids this vulnerability.

TenFour has made a fixed version of TFS Gateway available to its customers from its website at:
http://www.tenfour.se
The non-vulnerable version is build 219 and later, and does not allow the full message to be returned to the sender in the event of failure.

-
Vulnerability Information (19477)

source: http://www.securityfocus.com/bid/613/info
TFS Gateway 4.0, when configured in a specific non-default manner, is vulnerable to a remotely exploitable denial of service attack. If 'return entire message to sender' is enabled for failed send attempts, and an email is sent to the TFS Gateway with 1: the From: address set to an invalid address on a remote machine and 2: an invalid To: address on the target machine, the gateway will attempt to return the complete message once every 10 seconds until an administrator manually stops it. If enough emails of sufficient size of this nature are sent it can lead to a degradation or denial of service.
Telnet to the gateway's SMTP server and enter the following commands:
HELO
MAIL FROM: invalid@remote.com
RCPT TO: invalid@target.com
DATA
.
QUIT
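
A defender-side check for the condition described above, added here as an example (not part of the original advisory or of TenFour's software): it scans gateway delivery logs for failed return attempts on the same message that repeat at the fixed 10-second interval. The log format, its field names and `find_return_loops` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format, assumed for this example (not TFS Gateway's own):
#   <ISO time> RETURN msgid=<id> to=<original sender> size=<bytes> status=<failed|ok>
LINE = re.compile(r"(\S+) RETURN msgid=(\S+) to=(\S+) size=(\d+) status=(\w+)")
# Constructed sample: A1 loops every 10 s; C3 is an ordinary backed-off retry.
SAMPLE_LOG = """\
1999-08-30T12:00:00 RETURN msgid=A1 to=invalid@remote.com size=2048000 status=failed
1999-08-30T12:00:05 RETURN msgid=B2 to=user@example.org size=1024 status=ok
1999-08-30T12:00:10 RETURN msgid=A1 to=invalid@remote.com size=2048000 status=failed
1999-08-30T12:00:20 RETURN msgid=A1 to=invalid@remote.com size=2048000 status=failed
1999-08-30T12:00:30 RETURN msgid=A1 to=invalid@remote.com size=2048000 status=failed
1999-08-30T12:00:40 RETURN msgid=A1 to=invalid@remote.com size=2048000 status=failed
1999-08-30T12:01:00 RETURN msgid=C3 to=user@example.net size=512 status=failed
1999-08-30T12:16:00 RETURN msgid=C3 to=user@example.net size=512 status=failed
1999-08-30T12:46:00 RETURN msgid=C3 to=user@example.net size=512 status=failed
1999-08-30T13:46:00 RETURN msgid=C3 to=user@example.net size=512 status=failed
1999-08-30T15:46:00 RETURN msgid=C3 to=user@example.net size=512 status=failed
"""


def find_return_loops(log_text, min_attempts=5, interval=10, tolerance=2):
    """Flag messages whose failed returns repeat at a fixed short interval."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(5) == "failed":
            when = datetime.fromisoformat(m.group(1))
            attempts[m.group(2)].append((when, m.group(3), int(m.group(4))))
    findings = []
    for msgid, rows in attempts.items():
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        # A loop: enough attempts, every gap close to the fixed retry interval.
        fixed = all(abs(g - interval) <= tolerance for g in gaps)
        if len(rows) >= min_attempts and fixed:
            findings.append({
                "msgid": msgid,
                "return_to": rows[0][1],
                "attempts": len(rows),
                "bytes_resent": sum(size for _, _, size in rows),
            })
    return findings


if __name__ == "__main__":
    print(find_return_loops(SAMPLE_LOG))
```

The `bytes_resent` total shows why message size matters here: each 10-second retry resends the complete message.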

-
Vulnerability Information

Vulnerability author:
The credit for this vulnerability being exposed goes to "FableMan / Noxidus / #HACK on IRC-Net".
The information was emailed to Security Focus on August 30, 1999.

-
Affected versions

TFS Gateway 4.0
TFS Gateway 4.0 Build 219

-
Unaffected versions

TFS Gateway 4.0 Build 219


